MVISION Version | General Availability (GA) | Release Notes |
MVISION EDR 4.0.0 | March 15, 2022 | Release Notes |
MVISION EDR Cloud November 29, 2021 release | November 29, 2021 | Release Notes |
MVISION EDR 3.5.2 | November 9, 2021 | Release Notes |
MVISION EDR July Update | July 26, 2021 | Release Notes |
MVISION EDR 3.5 | July 13, 2021 | Release Notes |
MVISION XDR | May 17, 2021 | Release Notes |
MVISION EDR 3.4 | April 27, 2021 | Release Notes |
MVISION EDR Cloud December release | December 5, 2020 | Release Notes |
EDR Client 3.3.0.625 | December 1, 2020 | Release Notes |
MVISION EDR Cloud November release | November 6, 2020 | Release Notes |
MVISION EDR 3.2 Hotfix 1 | September 22, 2020 | Release Notes |
MVISION EDR 3.2 | August 12, 2020 | Release Notes (Client and Extension 3.2.0.567.2) |
MVISION EDR 3.1 | April 21, 2020 | Release Notes NOTE: MVISION EDR is a cloud product. The GA date is the latest release. Cloud Release Notes are cumulative. |
MVISION EDR 3.0 Hotfix 1 | December 20, 2019 | |
MVISION EDR | October 22, 2019 |
MVISION EDR Known Issues
Technical Articles ID: KB91275
Last Modified: 6/22/2022
Environment
MVISION EDR
MVISION XDR
NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.
Summary
Recent updates to this article
Date | Update |
June 22, 2022 | Updated SEC-106105 with a Workaround. |
June 15, 2022 | Added SEC-106105 to Critical known issues. |
April 22, 2022 | Added Resolved in MV-EDR version for SEC-104788 under Critical known issues. |
April 11, 2022 | Added SEC-104788 to Critical known issues. |
March 17, 2022 | Added MVISION EDR 4.0.0 release details. |
Reference Number | Related Article | Found in MV-EDR version | Resolved in MV-EDR version | Issue Description |
SEC-106105 | 4.0.0 | Issue: Columns containing IPv4/IPv6 values aren't converted to readable values. The columns contain data exported to your S3 bucket. The sources are ePO Audit Logs and Threatevent source types from the MDR workflow.
Workaround: The data exported from our data sources to configured external S3 buckets has IP addresses presented as a signed integer (negative number). When processing the data from the S3 bucket, use the conversion logic below (Java) to convert the number back into an IP address:

    static String toIpv4(long ip) {
        // add 2^31 to put the integer representation in the range [0,2^32-1] because of MAX_INT being 2^31-1
        long ip1 = ((ip + 2147483647) + 1);
        return ((ip1 >> 24) & 0xFF) + "." + ((ip1 >> 16) & 0xFF) + "." + ((ip1 >> 8) & 0xFF) + "." + (ip1 & 0xFF);
    }

To convert these Base64-encoded strings to IPv6 format (Java), use the conversion logic below:

    import java.net.Inet6Address;
    import java.net.UnknownHostException;
    import java.util.Base64;

    static void printIpv6() throws UnknownHostException {
        String encoded = "AAAAAAAAAAAAAP//Cmjguw==";            // Base64-encoded string of the IPv6 address
        byte[] decoded = Base64.getDecoder().decode(encoded);    // decoded byte array
        Inet6Address ip1 = Inet6Address.getByAddress(null, decoded, 0); // convert the byte array to IPv6
        System.out.println(ip1.getHostAddress());                // print the host address
        // 0:0:0:0:0:ffff:a68:e0bb%0 (IPv6 of the above encoded string; remove the last %0)
    }
 |
||
SEC-104788 | 4.0.0 | Planned for 4.1.0 | Issue: Trace functionality isn't working in some virtual environments owing to a third-party DLL dependency that fails to load. Solution: Currently planned for 4.1.0. An updated version of the third-party DLL resolves the issue. We currently plan to include this updated DLL in 4.1.0. |
|
KB95371 | Issue: The March 15, 2022 MVISION EDR 4.0 release contains only the Windows client package. Linux and macOS packages aren't included in the March 15 package. Solution: See the related article. |
|||
SEC-48028 | KB94656 | 3.5 | - | NOTE: This issue is applicable for EDR 3.5 clients and customers using S3 functionality. Issue: If EDR is configured to send traces to both the EDR Cloud and the customer's own S3 service, traces aren't sent to the EDR Cloud. This issue is seen only when the S3 access credentials are misconfigured (for example, an invalid access key). If you encounter this issue, make sure that your AWS credentials are valid and your AWS services and settings are correctly configured. NOTE: We recommend that customers test any IAM credentials to make sure that they allow objects to be written to the target S3 bucket, and monitor S3 bucket access and usage. |
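The conversions from the SEC-106105 workaround applied to whole exported rows, as an added Python example (not vendor code): it follows the article's add-2^31 rule for IPv4 and Base64 decoding for IPv6, and additionally validates ranges and lengths so malformed values are reported rather than silently mangled. The column names `src_ip` and `src_ip6` and the sample rows are constructed for illustration; showing IPv4-mapped addresses in dotted form is this example's choice.

```python
import base64
import ipaddress


def decode_ipv4(value):
    """Apply the article's conversion: add 2^31, then read the four octets."""
    number = int(value)  # CSV-style exports may carry the integer as text
    if not -2**31 <= number <= 2**31 - 1:
        raise ValueError(f"not a signed 32-bit value: {value!r}")
    return str(ipaddress.IPv4Address(number + 2**31))


def decode_ipv6(encoded):
    """Decode a Base64 string holding the 16 raw bytes of an IPv6 address."""
    raw = base64.b64decode(encoded, validate=True)  # binascii.Error is a ValueError
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    address = ipaddress.IPv6Address(raw)
    # Choice made by this example: show IPv4-mapped addresses (::ffff:a.b.c.d) as IPv4.
    mapped = address.ipv4_mapped
    return str(mapped) if mapped is not None else address.compressed


def normalize_row(row, ipv4_columns, ipv6_columns):
    """Return (readable copy of row, [(column, error), ...]); bad values stay raw."""
    clean, errors = dict(row), []
    for columns, decoder in ((ipv4_columns, decode_ipv4), (ipv6_columns, decode_ipv6)):
        for column in columns:
            if row.get(column) in (None, ""):
                continue  # nothing exported for this column
            try:
                clean[column] = decoder(row[column])
            except (ValueError, TypeError) as exc:
                errors.append((column, str(exc)))
    return clean, errors


# Constructed rows; "src_ip" and "src_ip6" are hypothetical column names.
SAMPLE_ROWS = [
    {"event": "constructed-1", "src_ip": -1972838213,
     "src_ip6": "AAAAAAAAAAAAAP//Cmjguw=="},  # Base64 sample from the article
    {"event": "constructed-2", "src_ip": "2147483647",
     "src_ip6": base64.b64encode(ipaddress.IPv6Address("2001:db8::1").packed).decode()},
    {"event": "constructed-3", "src_ip": 4294967296, "src_ip6": "not-base64"},
]

if __name__ == "__main__":
    for sample in SAMPLE_ROWS:
        print(normalize_row(sample, ["src_ip"], ["src_ip6"]))
```
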
Reference Number | Related Article | Found in MV-EDR version | Resolved in MV-EDR version | Issue Description |
Issue: The MVISION EDR manager doesn't show custom reactions, or the list is stale. Workaround: To show the EDR Custom Reactions, clear the browser cache and cookies. Perform your action again. |
||||
SEC-86489 | Issue: RTS result API displays 404 (Not found category) error with the following message: Error Description: No records found or endpoints are taking too long to respond. NOTE: This error is valid only if the attached endpoints have data to return, but no records are found. This error is invalid if attached endpoints have no data to render. Resolution: Increased load is handled internally by scaling up resources. Workaround: Retry the API call after 1–2 minutes. |
|||
SEC-85193 | Issue: Source IP and Port aren't displayed. They're populated as 0 (zero) for network connection artifacts in the Device search. Resolution: These values aren't applicable to Linux devices. When 0 (empty null value) is returned, EDR populates the source IP, source port, destination IP, and destination port with unknown. |
|||
SEC-64704 | - | Issue: Historical Search - Process reattribution fields or columns aren't easy to find. | ||
SEC-36074 | - | Issue: Vulnerability Actions aren't shown in actions (pending SEC-50492). | ||
SEC-46898 | - | Issue: The MVISION EPO or EDR client fails to upload a snapshot. | ||
SEC-50492 | - | Issue: SIEM Action options aren't available on the EDR dropdown for Device Actions in the EDR UI. | ||
SEC-49207 | - | Issue: Historical search fails with AR-1104 intermittently through the UI during a programmatic or script performance test. | ||
SEC-49599 | - | Issue: When AC times out responding to the query, the UI displays the error message |
||
SEC-46277 | - | Issue: Auto Suggestion operator doesn't work for a compound query with CommandLine. | ||
SEC-49287 | - | Issue: When you apply filters to perform the analysis and later clear them, the results get refreshed through an API call. | ||
SEC-48803 | - |
Issue: The user performs one of the following actions:
In the above scenarios, the Filepath and CommandLine fields in the Monitoring Exclude threat sections aren't populated and are empty.
|
||
SEC-46777 | - | Issue: Granular Exclusion: Exclusions with escape or special characters should be cleaned up before matching. | ||
SEC-45793 | - | - | Issue: In the Historical Search dashboard, when you type a commandLine query, suggestions don't appear. | |
SEC-43301 | - | 3.2.0 | - |
Issue: When you use the MVISION EDR API, you see that the API events exceed the defined event limits. Although the Case Management runbook supplied with the APIs mentions limits, it doesn't clearly state how to set limits in actual numbers.
The API for rate limiting is
Rate limits can be applied to the actions below:
The default rate-limits are as below:

    {
      // Rate Limits default values.
      // Use API to change rate limits.
      // new case by tenant
      new-case = [
        { max = 10 duration = "1 hour"}
        { max = 20 duration = "1 day"}
      ]
      // new evidence by case by tenant
      new-evidence-to-case = [{max = 10 duration = "1 hour"} ]
      // new evidence by tenant
      new-evidence = [{max = 10 duration = "1 hour"} ]
    }
 |
SEC-41123 | - | 2.4.0.723 | - | Issue: Scheduled Reboot Reaction might not work on some Linux platforms (RHEL and SUSE) even though success is returned in Action History. Cause: The Scheduled Reboot Reaction uses the Linux "at" scheduling service to schedule the reboot. This service might not run by default on all Linux platforms. Workaround: Install the "at" service and make sure that the |
SEC-37830 | - | 3.3.0 | Issue: Action History shows as 'Completed' with an error message after action "Scheduled Reboot." | |
SEC-42307 | - | 3.4.0 | Issue: BigSur operating system isn't listed on EDR UI. | |
SEC-38300 | - | - | - | Issue: Two or more open tabs while using MVISION EDR might cause a user to be logged out due to inactivity. The same applies to any other tab that uses products that rely on the same identity service, for example, MVISION ePO and MVISION Cloud. Cause: MVISION EDR checks for activity independently in each tab. After 20 minutes of inactivity, MVISION EDR invalidates the token, which logs off the user. Workaround: Minimizing the number of open tabs, or closing any that remain inactive for longer than 20 minutes, reduces the probability of a logoff occurrence. |
SEC-28420 | EKS+1 | EKS+2 |
Issue: When you run Historical search queries that contain more than three days of information and use include or exclude filters, you see the error below:
Solution: Narrow your query. Include less than three days of information or remove the include or exclude filters. |
|
SEC-35451 | Issue: No event type is displayed for a process activity in the table view of the Process Activity section from the Monitoring Dashboard. Cause: Some specific process activity that occurs close in time to the start of the process can have a time stamp earlier than that of the process that originates the activity. The UI assigns that activity the same time stamp as the process creation time, so two events are displayed in the same row. Workaround: Click the activity and view the different events that are related to that row in the table. Then, you can see the details of both events. |
|||
SEC-35418 | Issue: There's a delay in the visibility of events that are generated in the endpoint through the Historical search for just one endpoint. Cause: MVISION EDR time filters use the time specified in the Endpoint, which is the time when the activity occurs. But, an endpoint can have a wrong time configuration that is ahead of the current time or behind it. If it's ahead, filters such as for the last four hours don't show that activity until the current time is reached. Solution: Correct the time configured in the endpoint. |
|||
SEC-35413 | Issue: Filtering by "Observed Techniques" or "Suspicious Indicators" in the Monitoring dashboard doesn't show the corresponding activity that originates it. This situation occurs when there's no UI visibility of an event in the Process Activity. Instead, you see the error below: Cause: EDR increases the number of events that are displayed in the Process activity section. But, some of them can still be missing. It doesn't relate the suspicious activity to an activity in the chart or tables because content evolves with higher cadence than UI. Solution: Make sure that there are no filters applied to the graph. If the event is still not displayed, analysts must investigate all activity to properly identify the trigger of the suspicious indicator. |
|||
SEC-35355 | Issue: Filtering by "Observed Techniques" or "Suspicious Indicators" in the Monitoring dashboard might not show the corresponding activity that originates it. This situation can occur when you apply filters in the Process Activity widget without loading all activity. Instead, you see the error below: Cause: To improve the speed to show the Process Activity once a new threat is selected in the monitoring dashboard, the UI loads data in two phases. The initial phase partially loads data. It prioritizes process genealogy information. As a result, the activity that originates an observed technique or suspicious indicator might not be loaded. Solution: Click the Show all activity option. All activity loads. Then, filter again for the required Observed technique. |
|||
SEC-35377 SEC-35378 |
EDR Client 3.3.0.625 | Issue: The Cause: On SUSE Linux Enterprise 15, This deprecation might also apply to other Linux distributions that no longer include the net-tools package by default. Solution: Because |
||
SEC-36169 | EDR Client 3.2.0.567 Content Data Update 3.2.0.313 |
Content Data Update 3.3.0.368 | Issue: EDR snapshot tool doesn't work properly after an EDR content update. You run the snapshot tool, but the tool fails to take a snapshot. You see the following error: Cause: An EDR content update leaves conflicting job definitions. Solution: Remove the EDR Client content package from the Master Repository until an updated content is provided. On affected hosts to be investigated, use the Remove File reaction available in |
|
STLS-916 |
Issue: MVISION EDR can't connect to the configured DXL broker. If you look in the DXL broker IPE log, you see the error below:
Cause: There are two possible causes:
Solution:
|
|||
SEC-33805 | Issue: Duplicate listings of ePO servers are seen in the Configuration Page, under Configure data sources. Cause: Connection issues. Solution: Refresh the UI. You can ignore the issue. This issue is cosmetic and doesn't affect product function. |
|||
SEC-34655 | Issue: You take a manual action to quarantine or End-quarantine a device in the Investigation dashboard. But, the state isn't updated until it's refreshed. Then, the End-quarantine action doesn't display after a quarantine action. Cause: Investigation doesn't refresh options after an action. Solution: Refresh the UI. |
|||
SEC-33791 | Issue: After you switch between threats in the monitoring screen, the process activity displays the message below: It then loads the correct process activity. Cause: Engineering may have updated the widget to load faster and in phases, causing this issue. Solution: Wait until the process activity fully loads. |
|||
SEC-31708 | 3.2.0.567 | Issue: Investigations via phishing email don't display or add artifacts. (U.S. ONLY) | ||
SEC-31410 | 3.2.0.567 | 3.2.0.571 | Issue: The EDR client process ( Workaround: Disable the Unattended Content Updates on the EDR Policy, General tab. |
|
3.0.0.404 | 3.2.0.567 |
Issue: Can't end Quarantine in an endpoint that's using a VPN
Solution:
|
||
3.1.0.478 | 3.2.0.567 | Issue: You see high CPU usage and slowdown on 32-bit Windows clients. Workaround: Disable the Trace for affected endpoints. Or, if experiencing issues with specific processes, exclude them. See the Product Guide for further information about making these changes. Solution: This issue is resolved in 3.2.0.567. |
||
3.1.0.478 | Issue: During the upgrade of EDR Client on Windows 7, a pop-up message displays for a few seconds with the title: This message doesn't affect the installation. The product successfully installs. Cause: The Windows service Interactive Services Detections is enabled. This service is disabled by default and is available only on Windows 7. Workaround: Temporarily disable the Windows service Interactive Services Detections during the upgrade of EDR Client. |
|||
3.1.0.478 | Content Data Update 3.2.0.308 | Issue: EDR Content Data Update 3.0 fails to download when EDR Client 3.1 or later is installed. Cause: Content Data Update 3.0 doesn't recognize version 3.1 or later. Workaround: Check in the latest Content Data Update 3.1 or later to the Master Repository. The update is available from the ePO Software Catalog. |
||
3.0.0.404 | 3.1.0.478 | Issue: The EDR Trace database grows larger than the maximum size configured in the policy. The database is at |
||
KB92292 | MACC extensions 8.2.6 and 8.3. | Issue: The Cause: Execution Control in ACC 8.x added default Execution Control Rules and rule groups. These rule groups need to be updated to allow the newer version to run. Workaround: See the related article. Solution: This issue is fixed with the release of ACC extensions 8.2.6 and 8.3. |
||
ENS Exploit Prevention content released March 2020, or later, fixes this issue. |
Issue: An EDR Reaction fails to execute in the endpoint.
Cause: An option in ENS prevents EDR from running some Workaround: Add an exclusion to the EDR service in the ENS Exploit Prevention policy:
|
|||
3.0.0.355 | 3.1.0.478 |
Issue: On Windows 10 build 1607 (RS1), applications such as Microsoft Office, Adobe Acrobat Reader, and Chrome, fail to start.
Workaround 1: Install all Windows updates for build 1607 (RS1). Workaround 2:
NOTE: By disabling this option, the EDR client doesn't detect when a process injects another process.
|
||
3.0.0.355 | Issue: Installation of some applications that perform intensive file moves, removals, or changes, displays errors and fails to complete. Cause: The EDR client locks these files during the installation. Workaround 1: Disable the Trace plug-in during the installation. Workaround 2: Add the installer or process that runs it to the ignored files into the Trace Policy. |
|||
3.0.0.355 | 3.2.0.567 |
Issue: When you quarantine an endpoint connected to a VPN, the endpoint becomes unreachable.
You can't send the reaction to End the Quarantine. Workaround:
|
||
3.0.0.404 | 3.0.0.432 | Issue: The network verbosity feature is enabled by default. The results are an unnecessary collection in the endpoints and unnecessary traffic in the customer network. Workaround: For on-premises ePO, open all active EDR policies in ePO and save each one without making any changes. This action disables the verbosity configuration. For MVISION ePO environments, clone the My Default policy, edit, save without any changes, and then assign it to all your endpoints. |
||
3.0.0.355 | 3.0.0.404 | Issue: On Windows Redstone 5 and later, Internet Explorer or Edge might lose internet connection when using a proxy configuration file. But, other browsers like Chrome or Firefox continue working properly. Workaround: Manually enter your proxy settings in Internet Explorer or Edge. |
||
3.0.0.432 | Issue: The EDR service doesn't start if MVISION EDR is installed on an endpoint with ENSM installed. Workaround: Technical Support has a script to fix the issue. Contact Support to obtain this script. |
|||
Fixed by upgrading to MA 5.6.3 | Issue: Proxy autoconfiguration script files, such as In this situation, Internet Explorer can still use the MA reports no usable proxy found in the Workaround: Reboot the endpoint. |
|||
Issue: In MVISION ePO, Mac and Linux EDR clients aren't yet supported. Solution: Not available. For environment information, see KB91345 - Supported platforms for MVISION EDR. |
||||
3.1.0.478 | Issue: The MVISION EDR client service stops working if you install or upgrade the MVISION Endpoint client after it's installed on a Windows system. Solution: Restart the service by restarting the operating system. |
|||
3.0.0.404 | Issue: During EDR Client installation, Visual C++ Redistributable Package removes binaries for non-target architectures. Specifically, This issue is a Microsoft runtime issue in Visual C++ Redistributable Package. Solution: Apply the updated distributable available on the Microsoft site. |
|||
Issue: Can't install MVISION EDR client with ENS 10.6.2/6.3 in Linux because of failed dependencies:
You see the error below: Solution: Upgrade to ENS 10.6.4 or later. |
||||
3.0.0.404 | Issue: The Monitoring or Historical Search dashboards might display incorrect information about the device. Incorrect information includes the operating system version, MAC address, or ePO tags. | |||
Issue: The Include and Exclude filters in the Historical Search Dashboard don't filter the Alerts and Detections |
||||
Issue: Hierarchy in the process tree from the Process Activity widget breaks. Cause: The parent process isn't present. As a result, the sequential and timeline view in Process Activity doesn't show the process tree correctly. Workaround: Select another detection instance for the same threat from the Device section in the Monitoring dashboard. |
||||
Issue: When you disable telemetry feedback options, the feedback option requires that you accept the sharing of telemetry data. If you don't accept it, the send button on the feedback section isn't enabled.
Solution: Enable telemetry settings:
|
||||
Issue: Duplicated alerts are seen. When a Process Injection is detected as a threat in the Monitoring dashboard, the Injector process and Injected process are shown as potential threats. So, they can be perceived as duplicated threats. | ||||
Client 3.0.0.175 | Issue: [Agent] When you disable or enable the trace plug-in, the traces aren't sent to the cloud until you reboot the endpoint. Solution: If you enable the trace plug-in on an endpoint through the MVISION EDR endpoint policy after it's previously disabled, you must reboot the endpoint to have trace data sent again. Endpoint activity isn't monitored until the reboot is completed. |
|||
MVISION EDR extension version 3.0.0.758 | Issue: Unable to open the MVISION homepage from on-prem ePO. The MVISION EDR homepage link from the McAfee ePO menu doesn't work. Solution: Access the MVISION EDR page. Fixed in MVISION EDR Client version 3.0.0.175. |
|||
Issue: After installation, the EDR extension server settings display a Host Timeout Error. The SIEM connection on the MVISION EDR settings available in Server settings on ePO show the connection as: Solution: When the SIEM is configured correctly, this setting changes to Connection Successful as expected. |
||||
Issue: Device Name isn't displayed under Affected Devices, Threat Details session in Monitoring workspace. Solution: Follow the deployment steps as documented in the Installation Guide or UI wizard. If the MVISION EDR client is deployed in the endpoints before it completes the extension installation flow, some device information might not be displayed. Information such as host name or IP address might not be displayed in the Device panel of the Monitoring dashboard. To fix the problem, reboot the unlisted device. |